Hi guys,

Someone asked me to send my firewall configuration once I'd figured out how to set it up. I just got it going, courtesy of /usr/doc/faq/howto/Firewall-HOWTO. I'm running kernel 2.0.33 (yes, that old) and I'm only after a filtering firewall so I've used ipfwadm in conjunction with the kernel's built-in packet filtering to implement it. It looks pretty messy and there's probably a dozen better ways of doing it but it does seem to work. I trust all my local users (all two of us): it's only outsiders I'm trying to shut out. The howto document seems to set the firewall up to block source ports from 1024-65535. I decided to block *all* source ports in case someone tries to connect from a lower source port (either from a compromised box or a windows machine). I use the box as a masquerading gateway so there's a bit at the bottom of the script to set that up as well.
---

# first of all accept anything from the local network destined for anywhere
ipfwadm -I -i accept -S 127.0.0.1/32
ipfwadm -I -i accept -S 192.168.28.0/24

# Shut out anyone from the outside trying to access www, telnet,
# wwwcache, netbios services (tcp and udp; used by Samba), and a few
# ports I use internally for controlling the ppp link from the windows boxen.
# I'm leaving ftp open because I use it from an outside account.
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 80
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 23
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 3128
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 137:139
ipfwadm -I -a deny -P udp -S 0.0.0.0/0 -D 0.0.0.0/0 137:139
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 5000
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 9998:9999

# Now set up forwarding/masquerading
# Accept anything from the local network
ipfwadm -F -i accept -m -S 127.0.0.1/32
ipfwadm -F -i accept -m -S 192.168.28.0/24

# default policy for everyone else: deny. I don't want my box forwarding
# other people's traffic.
ipfwadm -F -p deny

- Dave

David A. Mann, B.E. (Elec)  http://www.digistar.com/~dmann/
"Why is it that if an adult behaves like a child they lock him up, while
children are allowed to run free on the streets?" -- Garfield
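As an added example (not part of Dave's post, and not something a 2.0 kernel is needed for), the following Python evaluator walks the posted input-chain rules with ipfwadm's first-match semantics and returns the verdict for a given packet, which makes the gaps of a deny-list policy visible offline: the local-network accepts sit at the head of the chain because `-i` inserts, and anything the deny rules do not name (UDP to port 80, any unlisted TCP port, ICMP) falls through to the chain's default policy. The rule text is a constructed copy of the post's `-I` lines, the packet addresses are made up, and the default input policy of `accept` (ipfwadm's default, which the script never changes) is an assumption.

```python
import ipaddress
# Constructed copy of the posted ipfwadm input-chain (-I) rules, in the order typed.
RULES_TEXT = """
ipfwadm -I -i accept -S 127.0.0.1/32
ipfwadm -I -i accept -S 192.168.28.0/24
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 80
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 23
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 3128
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 137:139
ipfwadm -I -a deny -P udp -S 0.0.0.0/0 -D 0.0.0.0/0 137:139
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 5000
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 9998:9999
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_rules(text):
    """Parse the ipfwadm subset used above into kernel order (-i inserts at head, -a appends)."""
    rules = []
    for line in text.splitlines():
        if line.split()[:2] != ["ipfwadm", "-I"]:
            continue
        rule, insert = {"proto": "all", "src": ANY, "dst": ANY}, False
        for grp in line.split(" -")[2:]:  # e.g. ["i accept", "S 127.0.0.1/32"] or ["D 0.0.0.0/0 137:139"]
            flag, *args = grp.split()
            if flag in ("i", "a"):
                rule["verdict"], insert = args[0], flag == "i"
            elif flag == "P":
                rule["proto"] = args[0]
            elif flag in ("S", "D"):
                side = "src" if flag == "S" else "dst"
                rule[side] = ipaddress.ip_network(args[0])
                for p in args[1:]:  # optional port list after the address: "80" or "137:139"
                    lo, _, hi = p.partition(":")
                    rule.setdefault(side + "_ports", []).append((int(lo), int(hi or lo)))
        rules.insert(0 if insert else len(rules), rule)  # -i goes to the head, -a to the tail
    return rules

def _port_ok(ranges, port):
    return ranges is None or any(port is not None and lo <= port <= hi for lo, hi in ranges)

def verdict(rules, proto, src, dst, dport=None, sport=None, policy="accept"):
    """First matching rule decides; otherwise the chain's default policy applies
    (assumed 'accept', the ipfwadm default, which the posted script never changes)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["proto"] in ("all", proto) and src in r["src"] and dst in r["dst"]
                and _port_ok(r.get("src_ports"), sport) and _port_ok(r.get("dst_ports"), dport)):
            return r["verdict"]
    return policy
```

Passing `policy="deny"` shows how the same rules would behave after an `ipfwadm -I -p deny`, which is the usual way to turn a deny-list like this into a default-deny input chain.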
